Firewall Wizards mailing list archives

Re: RE:Vulnerability Scanners ( was: concerning ~el8 / project mayhem )


From: Dave Piscitello <dave () corecom com>
Date: Sun, 25 Aug 2002 10:26:22 -0400

> In my humble opinion, corporate security people not authenticating and
> filtering/monitoring traffic heading off the corporate network is like
> airport personnel not verifying the identities of individuals who are on an outbound
> airplane, or checking what they are carrying.  99.99% of the time nothing
> happens, that last 1% can be very painful though.
-------------
>That's when positive
>authentication is necessary.  One needs to know it's positively Jane Doe that
>went to the porn site (which is against policy) or it was someone who sat
>down at her authenticated workstation when she walked away without logging
>off (which is against policy) before disciplinary actions are initiated.


You'll need non-repudiable authentication (evidence), as a court of law would describe. How would you propose to verify Jim was at Jane's workstation at the time of the porn site visit? In addition to "strong authentication" as we define it today, do you propose cameras? Keyloggers that distinguish typing behavior?

Something that's annoyed me for ages is the distinction that policy violations conducted through computing and networking are so different from any other medium. If an employee uses his phone card to dial a phone sex number during work hours, from a business phone, is it as serious an offense? (Granted, there's no temporary or long-term cache of the "image" unless he's taped the conversation.) What about print media and fax (although I've never heard of fax sex)?

Content inspection is an odd business, and it seems perpetually focused on computer networking. My point is that I've seen some policies that don't uniformly treat all media - it's acceptable to have a sexy calendar, but not to visit Victoria's Secret online, or thumb through Playboy during lunch? I've told folks that such policies are an HR nightmare waiting to happen.

I wrote a paper a while ago on this subject, but I think it's still accurate and hopefully relevant:
http://www.tisc2002.com/newsletters/211.html

At 02:38 PM 8/23/2002 -0400, B Scott Harroff wrote:
One needs to know it's positively Jane Doe that
went to the porn site (which is against policy) or it was someone who sat
down at her authenticated workstation when she walked away without logging
off (which is against policy) before disciplinary actions are initiated.


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards